Report: The state of secure identity 2022

A new report from Okta has found that credential stuffing as a means of breaching Customer Identity and Access Management (CIAM) services is accelerating, fuelled by password reuse coupled with malicious bots and other automated tools.

The State of Secure Identity 2022 report, which is based on self-reported data from customers of Okta’s Auth0 access management platform across the globe, found that 34% of all traffic across Auth0 network consists of credential stuffing attempts—amounting to nearly 10 billion attempts. In the first quarter of 2022, the Auth0 network tracked two of the largest credential stuffing spikes ever on the platform, with more than 300 million attempts per day.

Furthermore, the report found that credential stuffing accounts for 61% of overall login events in the US, soaring to 85% after an attack in March 2022, with credential stuffing vastly exceeding signup attacks, MFA (multifactor authentication) bypass attacks, normal traffic, and genuine user failures in the same region.

Attacks against CIAM

Attacks that target CIAM services come in many forms, from manually operated efforts to large scale approaches that employ extensive automation capabilities and brute force tactics. Auth0’s report groups CIAM attacks into three key categories: fraudulent registrations, credential stuffing and MFA bypass, with session hijacking, password spraying, and session ID URL rewriting also making up a percentage of notable identity attacks.

According to the report, fraudulent registrations are a growing threat. Auth0 found that the energy and utilities and financial services sectors experience the highest proportion of signup attacks, with such threats accounting for the majority of registration attempts in those two industries.

When it comes to credential stuffing, while most industries experienced a credential stuffing rate that amounted to less than 10% of login events, the report found that in retail/e-commerce, financial services, entertainment and energy/utilities industries, these attacks represented the majority of login attempts.

Across Auth0’s platform, credential stuffing accounts for 34% of overall traffic/authentication events, while signup fraud accounted for approximately 23% of signup attempts in first 90 days of 2022, up from 15% in the same period last year.

The report also found that the first half of 2022 saw a higher baseline of attacks against MFA than any previous year in Auth0’s dataset.

Uber’s most recent security breach is one such example of this type of attack, caused by an employee accepting a two-factor authentication request submitted by a hacker after the hacker had gained access to the employee’s credentials on the dark web.

As cited in Auth0’s report, Verizon’s Data Breach Investigation Report 2022 found that almost half of data breaches start with stolen credentials, making account takeover the number one threat for employees and customers, while over 80% of the breaches involving attacks against Web Applications can be attributed to stolen credentials.

Actions CISOs can take to prevent fraudulent access 

For customer-facing application and service providers, having a security perimeter that consists of robust and resilient CIAM capabilities is a must, in order to safeguard against fraudulent registrations and account takeovers and the significant consequences caused by these abuses.

To protect against these types of attacks, Auth0’s report recommends a number of solutions that involve combining multiple security tools that can operate at different layers and form a unified defensive position. These include implementing MFA, using generic failure messages that do not reveal system details, limiting failed login attempts, and implementing secure session management practices.

Enforcing strong passwords that have a minimum length, complexity and rotation based on NIST (National Institute of Standards and Technology) recommendations— alongside monitoring for breached password use, not shipping products with default credentials or storing plain text passwords—are also ways CISOs can protect their organisation from CIAM attacks.

In her opening forward for the report, Auth0 CISO Jameeka Aaron said that CIAM is a unique segment of the wider Identity and Access Management (IAM) market, as customer-facing applications face a different threat landscape.

“While workforce identity management can accommodate comparatively higher friction and can often count on a user base that has undergone security awareness training, CIAM lacks these factors and must rely on more subtle techniques to achieve and maintain a strong security posture,” she wrote.